Analysis
-
max time kernel
9s -
max time network
59s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
21-06-2024 00:32
Static task
static1
Behavioral task
behavioral1
Sample
sync_spoofer.exe
Resource
win10-20240404-en
General
-
Target
sync_spoofer.exe
-
Size
6.8MB
-
MD5
7a09738f8033d766e8b03463389f0e20
-
SHA1
b453feaf2a393f9cb7a81804594bc0d8ddcff48d
-
SHA256
f5a8adbb37ce76781117aad88c8c4c9e2b8d7bdd3c3378afdb7dc37c66134b59
-
SHA512
6acb6043716df9c01e9a9e73963d361e4cef1608fdfd10217d1d8ed3d9ff4ca44cf5f1dbbe4f2ffd1a8de9ae71eeee0171a8cf341ce8c2085e2e40123830ad7d
-
SSDEEP
98304:3J86VheatbLbVVjFuvsw6TUSf47SbICvdH89fL8JaeCl9Kaw8TPObUPma9/l7i:3W6VhjFCzXSs09X789KaeQtW
Malware Config
Signatures
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3184 1252 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4524 1252 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2956 1252 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2200 1252 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1160 1252 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2272 1252 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4252 1252 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4900 1252 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3224 1252 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3220 1252 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1384 1252 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 648 1252 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1984 1252 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2920 1252 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4288 1252 schtasks.exe -
PureLog Stealer
PureLog Stealer is an infostealer written in C#.
-
PureLog Stealer payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\sp_componentbrowserFontDriverPerf.exe family_purelog_stealer behavioral1/memory/920-13-0x00000000002A0000-0x0000000000378000-memory.dmp family_purelog_stealer -
Nirsoft 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe Nirsoft C:\ProgramData\Microsoft\Windows\DevManView.exe Nirsoft -
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 1152 powershell.exe 4312 powershell.exe 3372 powershell.exe 2396 powershell.exe 4628 powershell.exe 592 powershell.exe 3876 powershell.exe 3000 powershell.exe -
Executes dropped EXE 19 IoCs
Processes:
HpsrSpoof.exesp_componentbrowserFontDriverPerf.execonhost_sft.exeVolumeid64.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exepid process 4024 HpsrSpoof.exe 920 sp_componentbrowserFontDriverPerf.exe 976 conhost_sft.exe 1240 Volumeid64.exe 200 DevManView.exe 4432 DevManView.exe 4056 DevManView.exe 4928 DevManView.exe 308 DevManView.exe 196 DevManView.exe 908 DevManView.exe 208 DevManView.exe 2292 DevManView.exe 2824 DevManView.exe 356 DevManView.exe 3304 DevManView.exe 4568 DevManView.exe 3184 DevManView.exe 4284 DevManView.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
DevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exedescription ioc process File opened (read-only) \??\D: DevManView.exe File opened (read-only) \??\F: DevManView.exe File opened (read-only) \??\D: DevManView.exe File opened (read-only) \??\F: DevManView.exe File opened (read-only) \??\F: DevManView.exe File opened (read-only) \??\D: DevManView.exe File opened (read-only) \??\F: DevManView.exe File opened (read-only) \??\D: DevManView.exe File opened (read-only) \??\D: DevManView.exe File opened (read-only) \??\D: DevManView.exe File opened (read-only) \??\F: DevManView.exe File opened (read-only) \??\D: DevManView.exe File opened (read-only) \??\F: DevManView.exe File opened (read-only) \??\D: DevManView.exe File opened (read-only) \??\F: DevManView.exe File opened (read-only) \??\F: DevManView.exe File opened (read-only) \??\F: DevManView.exe File opened (read-only) \??\F: DevManView.exe File opened (read-only) \??\D: DevManView.exe File opened (read-only) \??\F: DevManView.exe File opened (read-only) \??\D: DevManView.exe File opened (read-only) \??\D: DevManView.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
Processes:
flow ioc 5 pastebin.com 6 pastebin.com 7 pastebin.com 2 pastebin.com 3 pastebin.com -
Maps connected drives based on registry 3 TTPs 53 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
DevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum DevManView.exe -
Power Settings 1 TTPs 10 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes:
powercfg.execmd.exepowercfg.exepowercfg.exepowercfg.execmd.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepid process 2964 powercfg.exe 1372 cmd.exe 2952 powercfg.exe 4944 powercfg.exe 356 powercfg.exe 4572 cmd.exe 984 powercfg.exe 1176 powercfg.exe 2200 powercfg.exe 5056 powercfg.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
sync_spoofer.exepid process 4300 sync_spoofer.exe -
Drops file in Program Files directory 3 IoCs
Processes:
sp_componentbrowserFontDriverPerf.exedescription ioc process File created C:\Program Files\Windows Portable Devices\fontdrvhost.exe sp_componentbrowserFontDriverPerf.exe File opened for modification C:\Program Files\Windows Portable Devices\fontdrvhost.exe sp_componentbrowserFontDriverPerf.exe File created C:\Program Files\Windows Portable Devices\5b884080fd4f94 sp_componentbrowserFontDriverPerf.exe -
Drops file in Windows directory 3 IoCs
Processes:
sp_componentbrowserFontDriverPerf.exeDevManView.exedescription ioc process File created C:\Windows\TAPI\69ddcba757bf72 sp_componentbrowserFontDriverPerf.exe File opened for modification C:\Windows\INF\setupapi.dev.log DevManView.exe File created C:\Windows\TAPI\smss.exe sp_componentbrowserFontDriverPerf.exe -
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 3536 sc.exe 4164 sc.exe 5028 sc.exe 620 sc.exe 4060 sc.exe 4020 sc.exe 3292 sc.exe 404 sc.exe 2880 sc.exe 780 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
DevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exeDevManView.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29} DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ContainerID DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067 DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000066\00000000 DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000064\00000000 DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Control DevManView.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29} DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000 DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ContainerID DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000064\00000000 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\LocationInformation DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ClassGuid DevManView.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29} DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000064\00000000 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066 DevManView.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 DevManView.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LocationInformation DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LocationInformation DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29} DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29} DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ClassGUID DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName DevManView.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ClassGUID DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ClassGuid DevManView.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Driver DevManView.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29} DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067 DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Control DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064\ DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0065 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LocationInformation DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000067\00000000 DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29} DevManView.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 DevManView.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Driver DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066 DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067 DevManView.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\ DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LocationInformation DevManView.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ContainerID DevManView.exe -
Modifies registry class 1 IoCs
Processes:
sp_componentbrowserFontDriverPerf.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings sp_componentbrowserFontDriverPerf.exe -
Runs ping.exe 1 TTPs 4 IoCs
Processes:
PING.EXEPING.EXEPING.EXEPING.EXEpid process 2696 PING.EXE 824 PING.EXE 208 PING.EXE 360 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 17 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 4252 schtasks.exe 4288 schtasks.exe 3184 schtasks.exe 2956 schtasks.exe 4900 schtasks.exe 3220 schtasks.exe 1984 schtasks.exe 4524 schtasks.exe 2272 schtasks.exe 3224 schtasks.exe 1384 schtasks.exe 1964 schtasks.exe 2200 schtasks.exe 1160 schtasks.exe 648 schtasks.exe 2920 schtasks.exe 1884 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
sp_componentbrowserFontDriverPerf.exepowershell.exepid process 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 1152 powershell.exe 1152 powershell.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe 920 sp_componentbrowserFontDriverPerf.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
sp_componentbrowserFontDriverPerf.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 920 sp_componentbrowserFontDriverPerf.exe Token: SeDebugPrivilege 1152 powershell.exe Token: SeDebugPrivilege 3876 powershell.exe Token: SeDebugPrivilege 3372 powershell.exe Token: SeDebugPrivilege 592 powershell.exe Token: SeDebugPrivilege 4312 powershell.exe Token: SeDebugPrivilege 3000 powershell.exe Token: SeIncreaseQuotaPrivilege 3372 powershell.exe Token: SeSecurityPrivilege 3372 powershell.exe Token: SeTakeOwnershipPrivilege 3372 powershell.exe Token: SeLoadDriverPrivilege 3372 powershell.exe Token: SeSystemProfilePrivilege 3372 powershell.exe Token: SeSystemtimePrivilege 3372 powershell.exe Token: SeProfSingleProcessPrivilege 3372 powershell.exe Token: SeIncBasePriorityPrivilege 3372 powershell.exe Token: SeCreatePagefilePrivilege 3372 powershell.exe Token: SeBackupPrivilege 3372 powershell.exe Token: SeRestorePrivilege 3372 powershell.exe Token: SeShutdownPrivilege 3372 powershell.exe Token: SeDebugPrivilege 3372 powershell.exe Token: SeSystemEnvironmentPrivilege 3372 powershell.exe Token: SeRemoteShutdownPrivilege 3372 powershell.exe Token: SeUndockPrivilege 3372 powershell.exe Token: SeManageVolumePrivilege 3372 powershell.exe Token: 33 3372 powershell.exe Token: 34 3372 powershell.exe Token: 35 3372 powershell.exe Token: 36 3372 powershell.exe Token: SeIncreaseQuotaPrivilege 4312 powershell.exe Token: SeSecurityPrivilege 4312 powershell.exe Token: SeTakeOwnershipPrivilege 4312 powershell.exe Token: SeLoadDriverPrivilege 4312 powershell.exe Token: SeSystemProfilePrivilege 4312 powershell.exe Token: SeSystemtimePrivilege 4312 powershell.exe Token: SeProfSingleProcessPrivilege 4312 powershell.exe Token: SeIncBasePriorityPrivilege 4312 powershell.exe Token: SeCreatePagefilePrivilege 4312 powershell.exe Token: SeBackupPrivilege 4312 powershell.exe Token: SeRestorePrivilege 4312 powershell.exe Token: SeShutdownPrivilege 4312 powershell.exe Token: SeDebugPrivilege 4312 powershell.exe Token: SeSystemEnvironmentPrivilege 4312 powershell.exe Token: SeRemoteShutdownPrivilege 4312 powershell.exe Token: SeUndockPrivilege 4312 powershell.exe Token: SeManageVolumePrivilege 4312 powershell.exe Token: 33 4312 powershell.exe Token: 34 4312 powershell.exe Token: 35 4312 powershell.exe Token: 36 4312 powershell.exe Token: SeIncreaseQuotaPrivilege 3000 powershell.exe Token: SeSecurityPrivilege 3000 powershell.exe Token: SeTakeOwnershipPrivilege 3000 powershell.exe Token: SeLoadDriverPrivilege 3000 powershell.exe Token: SeSystemProfilePrivilege 3000 powershell.exe Token: SeSystemtimePrivilege 3000 powershell.exe Token: SeProfSingleProcessPrivilege 3000 powershell.exe Token: SeIncBasePriorityPrivilege 3000 powershell.exe Token: SeCreatePagefilePrivilege 3000 powershell.exe Token: SeBackupPrivilege 3000 powershell.exe Token: SeRestorePrivilege 3000 powershell.exe Token: SeShutdownPrivilege 3000 powershell.exe Token: SeDebugPrivilege 3000 powershell.exe Token: SeSystemEnvironmentPrivilege 3000 powershell.exe Token: SeRemoteShutdownPrivilege 3000 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
sync_spoofer.exepid process 4300 sync_spoofer.exe -
Suspicious use of WriteProcessMemory 61 IoCs
Processes:
sync_spoofer.exeHpsrSpoof.execmd.exesp_componentbrowserFontDriverPerf.execmd.execmd.exedescription pid process target process PID 4300 wrote to memory of 1152 4300 sync_spoofer.exe powershell.exe PID 4300 wrote to memory of 1152 4300 sync_spoofer.exe powershell.exe PID 4300 wrote to memory of 1152 4300 sync_spoofer.exe powershell.exe PID 4300 wrote to memory of 4024 4300 sync_spoofer.exe HpsrSpoof.exe PID 4300 wrote to memory of 4024 4300 sync_spoofer.exe HpsrSpoof.exe PID 4300 wrote to memory of 920 4300 sync_spoofer.exe sp_componentbrowserFontDriverPerf.exe PID 4300 wrote to memory of 920 4300 sync_spoofer.exe sp_componentbrowserFontDriverPerf.exe PID 4300 wrote to memory of 976 4300 sync_spoofer.exe conhost_sft.exe PID 4300 wrote to memory of 976 4300 sync_spoofer.exe conhost_sft.exe PID 4024 wrote to memory of 5096 4024 HpsrSpoof.exe cmd.exe PID 4024 wrote to memory of 5096 4024 HpsrSpoof.exe cmd.exe PID 5096 wrote to memory of 1240 5096 cmd.exe Volumeid64.exe PID 5096 wrote to memory of 1240 5096 cmd.exe Volumeid64.exe PID 920 wrote to memory of 3372 920 sp_componentbrowserFontDriverPerf.exe powershell.exe PID 920 wrote to memory of 3372 920 sp_componentbrowserFontDriverPerf.exe powershell.exe PID 920 wrote to memory of 4312 920 sp_componentbrowserFontDriverPerf.exe powershell.exe PID 920 wrote to memory of 4312 920 sp_componentbrowserFontDriverPerf.exe powershell.exe PID 920 wrote to memory of 3000 920 sp_componentbrowserFontDriverPerf.exe powershell.exe PID 920 wrote to memory of 3000 920 sp_componentbrowserFontDriverPerf.exe powershell.exe PID 920 wrote to memory of 3876 920 sp_componentbrowserFontDriverPerf.exe powershell.exe PID 920 wrote to memory of 3876 920 sp_componentbrowserFontDriverPerf.exe powershell.exe PID 920 wrote to memory of 592 920 sp_componentbrowserFontDriverPerf.exe powershell.exe PID 920 wrote to memory of 592 920 sp_componentbrowserFontDriverPerf.exe powershell.exe PID 920 wrote to memory of 4068 920 sp_componentbrowserFontDriverPerf.exe cmd.exe PID 920 wrote to memory of 4068 920 sp_componentbrowserFontDriverPerf.exe cmd.exe PID 4068 wrote to memory of 3172 4068 cmd.exe chcp.com PID 4068 wrote to memory of 3172 4068 cmd.exe chcp.com PID 4068 wrote to memory of 360 4068 cmd.exe PING.EXE PID 4068 wrote to memory of 360 4068 cmd.exe PING.EXE PID 4024 wrote to memory of 2876 4024 HpsrSpoof.exe schtasks.exe PID 4024 wrote to memory of 2876 4024 HpsrSpoof.exe schtasks.exe PID 2876 wrote to memory of 200 2876 cmd.exe ChromeUpdate.exe PID 2876 wrote to memory of 200 2876 cmd.exe ChromeUpdate.exe PID 2876 wrote to memory of 4432 2876 cmd.exe DevManView.exe PID 2876 wrote to memory of 4432 2876 cmd.exe DevManView.exe PID 2876 wrote to memory of 4056 2876 cmd.exe DevManView.exe PID 2876 wrote to memory of 4056 2876 cmd.exe DevManView.exe PID 2876 wrote to memory of 4928 2876 cmd.exe DevManView.exe PID 2876 wrote to memory of 4928 2876 cmd.exe DevManView.exe PID 2876 wrote to memory of 308 2876 cmd.exe DevManView.exe PID 2876 wrote to memory of 308 2876 cmd.exe DevManView.exe PID 2876 wrote to memory of 196 2876 cmd.exe DevManView.exe PID 2876 wrote to memory of 196 2876 cmd.exe DevManView.exe PID 2876 wrote to memory of 908 2876 cmd.exe DevManView.exe PID 2876 wrote to memory of 908 2876 cmd.exe DevManView.exe PID 2876 wrote to memory of 208 2876 cmd.exe DevManView.exe PID 2876 wrote to memory of 208 2876 cmd.exe DevManView.exe PID 2876 wrote to memory of 2292 2876 cmd.exe DevManView.exe PID 2876 wrote to memory of 2292 2876 cmd.exe DevManView.exe PID 2876 wrote to memory of 2824 2876 cmd.exe DevManView.exe PID 2876 wrote to memory of 2824 2876 cmd.exe DevManView.exe PID 2876 wrote to memory of 356 2876 cmd.exe powercfg.exe PID 2876 wrote to memory of 356 2876 cmd.exe powercfg.exe PID 2876 wrote to memory of 3304 2876 cmd.exe DevManView.exe PID 2876 wrote to memory of 3304 2876 cmd.exe DevManView.exe PID 2876 wrote to memory of 4568 2876 cmd.exe DevManView.exe PID 2876 wrote to memory of 4568 2876 cmd.exe DevManView.exe PID 2876 wrote to memory of 3184 2876 cmd.exe DevManView.exe PID 2876 wrote to memory of 3184 2876 cmd.exe DevManView.exe PID 2876 wrote to memory of 4284 2876 cmd.exe DevManView.exe PID 2876 wrote to memory of 4284 2876 cmd.exe DevManView.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\sync_spoofer.exe"C:\Users\Admin\AppData\Local\Temp\sync_spoofer.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAcwBmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAcQB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHEAbgBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAdwByACMAPgA="2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"C:\Users\Admin\AppData\Roaming\HpsrSpoof.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: CA7D-R9TV3⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe c: CA7D-R9TV4⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Disk.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk drive*" /use_wildcard""4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "C:\"4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "D:\"4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "E:\"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "F:\"4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Checks SCSI registry key(s)
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "G:\"4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk"4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "disk"4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "Disk&*" /use_wildcard""4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard""4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "USBSTOR*" /use_wildcard""4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Checks SCSI registry key(s)
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard""4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Checks SCSI registry key(s)
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "STORAGE*" /use_wildcard""4⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in Windows directory
- Checks SCSI registry key(s)
-
C:\ProgramData\Microsoft\Windows\DevManView.exeC:\\ProgramData\\Microsoft\\Windows\\DevManView.exe /uninstall "WAN Miniport*" /use_wildcard""4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Checks SCSI registry key(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 12481HP-TRGT7160AB4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 212481HP-TRGT7160RV4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 812485HP-TRGT17909SG4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 512485HP-TRGT17909SL4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 412485HP-TRGT17909FA4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 612485HP-TRGT17909FU4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 312488HP-TRGT28657DQ4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 712488HP-TRGT28657MST4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 12504HP-TRGT16863AB4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 212504HP-TRGT16863RV4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 812504HP-TRGT16863SG4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 512504HP-TRGT16863SL4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 412504HP-TRGT16863FA4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 612504HP-TRGT16863FU4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 312504HP-TRGT16863DQ4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 712504HP-TRGT16863MST4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS %RANDOM%HP-TRGT%RANDOM%AB3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SS 12521HP-TRGT5069AB4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 2%RANDOM%HP-TRGT%RANDOM%RV3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SV 212521HP-TRGT5069RV4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 8%RANDOM%HP-TRGT%RANDOM%SG3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 812521HP-TRGT5069SG4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SU auto4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 5%RANDOM%HP-TRGT%RANDOM%SL3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SK 512521HP-TRGT5069SL4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 4%RANDOM%HP-TRGT%RANDOM%FA3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BM 412521HP-TRGT5069FA4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 6%RANDOM%HP-TRGT%RANDOM%FU3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BS 612521HP-TRGT5069FU4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 3%RANDOM%HP-TRGT%RANDOM%DQ3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /BV 312521HP-TRGT5069DQ4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 7%RANDOM%HP-TRGT%RANDOM%MST3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /PSN 712521HP-TRGT5069MST4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF3⤵
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeC:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe /SM HOPESA-RSPPOF4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe a: 9SU9-B7AH3⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe a: 9SU9-B7AH4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe b: UI4F-USB93⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe b: UI4F-USB94⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe c: O4GF-4VV53⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe c: O4GF-4VV54⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe d: 8R1V-UCPT3⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe d: 8R1V-UCPT4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe e: DJBK-4UMS3⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe e: DJBK-4UMS4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe f: 9UJ5-OZAC3⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe f: 9UJ5-OZAC4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe g: T54F-9LB03⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe g: T54F-9LB04⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe h: R37U-73CA3⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe h: R37U-73CA4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe i: 93KF-TBUU3⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe i: 93KF-TBUU4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe j: L2K0-9MTE3⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe j: L2K0-9MTE4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe k: 3KS1-9IBV3⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe k: 3KS1-9IBV4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe l: PHTO-BKJT3⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe l: PHTO-BKJT4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe m: N64Z-10MC3⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe m: N64Z-10MC4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe n: 83G0-KMGV3⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe n: 83G0-KMGV4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe o: C7DA-1HPE3⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe o: C7DA-1HPE4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe p: LRAM-47N03⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe p: LRAM-47N04⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe r: V524-PTIO3⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe r: V524-PTIO4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 79HB-DLI93⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe s: 79HB-DLI94⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe t: NGZH-4N853⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe t: NGZH-4N854⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe u: ZVL1-1SJE3⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe u: ZVL1-1SJE4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe v: 6KU4-G7RA3⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe v: 6KU4-G7RA4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe y: SM5I-6DLA3⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe y: SM5I-6DLA4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 00B2-I3V43⤵
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeC:\ProgramData\Microsoft\Windows\Volumeid64.exe z: 00B2-I3V44⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.cfg3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.chm3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\DevManView.exe3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amide.sys3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\amifldrv64.sys3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exe3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del C:\ProgramData\Microsoft\Windows\Disk.bat3⤵
-
C:\Users\Admin\AppData\Roaming\sp_componentbrowserFontDriverPerf.exe"C:\Users\Admin\AppData\Roaming\sp_componentbrowserFontDriverPerf.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\smss.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\unsecapp.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6lE2IkKRbl.bat"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost4⤵
- Runs ping.exe
-
C:\Users\Public\Pictures\unsecapp.exe"C:\Users\Public\Pictures\unsecapp.exe"4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rAhl4fNEA5.bat"5⤵
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- Runs ping.exe
-
C:\Users\Public\Pictures\unsecapp.exe"C:\Users\Public\Pictures\unsecapp.exe"6⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DITavvsiMU.bat"7⤵
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
C:\Users\Public\Pictures\unsecapp.exe"C:\Users\Public\Pictures\unsecapp.exe"8⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\updpj3XpIL.bat"9⤵
-
C:\Windows\system32\chcp.comchcp 6500110⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost10⤵
- Runs ping.exe
-
C:\Users\Public\Pictures\unsecapp.exe"C:\Users\Public\Pictures\unsecapp.exe"10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jKeWzk8OD4.bat"11⤵
-
C:\Windows\system32\chcp.comchcp 6500112⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost12⤵
- Runs ping.exe
-
C:\Users\Public\Pictures\unsecapp.exe"C:\Users\Public\Pictures\unsecapp.exe"12⤵
-
C:\Users\Admin\AppData\Roaming\conhost_sft.exe"C:\Users\Admin\AppData\Roaming\conhost_sft.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\TAPI\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\TAPI\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\unsecapp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Public\Pictures\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\unsecapp.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force1⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc1⤵
-
C:\Windows\System32\sc.exesc stop UsoSvc2⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc2⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv2⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits2⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc2⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 01⤵
- Power Settings
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 02⤵
- Power Settings
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 02⤵
- Power Settings
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 02⤵
- Power Settings
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 02⤵
- Power Settings
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"1⤵
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\bozscvkmidso.xml"1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"1⤵
-
C:\Program Files\Google\Chrome\ChromeUpdate.exe"C:\Program Files\Google\Chrome\ChromeUpdate.exe"1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force1⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc1⤵
-
C:\Windows\System32\sc.exesc stop UsoSvc2⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc2⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv2⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits2⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc2⤵
- Launches sc.exe
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 01⤵
- Power Settings
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 02⤵
- Power Settings
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 02⤵
- Power Settings
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 02⤵
- Power Settings
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 02⤵
- Power Settings
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\bozscvkmidso.xml"1⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\AMIDEWINx64.exeFilesize
452KB
MD5c4d09d3b3516550ad2ded3b09e28c10c
SHA17a5e77bb9ba74cf57cb1d119325b0b7f64199824
SHA25666433a06884f28fdabb85a73c682d1587767e1dfa116907559ec00ed8d0919d3
SHA5122e7800aae592d38c4a6c854b11d0883de70f938b29d78e257ab47a8a2bbf09121145d0a9aea9b56c16e18cde31b693d31d7ebfcd0473b7c15df5d7ae6708bbd2
-
C:\ProgramData\Microsoft\Windows\DevManView.cfgFilesize
1KB
MD543b37d0f48bad1537a4de59ffda50ffe
SHA148ca09a0ed8533bf462a56c43b8db6e7b6c6ffa8
SHA256fc258dfb3e49be04041ac24540ef544192c2e57300186f777f301d586f900288
SHA512cfb1d98328aed36d2fe9df008a95c489192f01d4bb20de329e69e0386129aff4634e6fd63a8d49e14fc96da75c9b5ed3a218425846907d0122267d50fc8d7a82
-
C:\ProgramData\Microsoft\Windows\DevManView.exeFilesize
162KB
MD533d7a84f8ef67fd005f37142232ae97e
SHA11f560717d8038221c9b161716affb7cd6b14056e
SHA256a1be60039f125080560edf1eebee5b6d9e2d6039f5f5ac478e6273e05edadb4b
SHA512c059db769b9d8a9f1726709c9ad71e565b8081a879b55d0f906d6927409166e1d5716c784146feba41114a2cf44ee90cf2e0891831245752238f20c41590b3f5
-
C:\ProgramData\Microsoft\Windows\Disk.batFilesize
1KB
MD5250e75ba9aac6e2e9349bdebc5ef104e
SHA17efdaef5ec1752e7e29d8cc4641615d14ac1855f
SHA2567d50c4fdcf6d8716c7d0d39517d479b3eeee02d2020ed635327405ae49c42516
SHA5127f0d7d41c9eafcd65daa674b5182cf52e11aa0f6d6baaee74fe4c4ffc08a163277c4981cd123af0cb1857ae6fd223b5e8c676d9dc5c646a870fbd9bc4001c438
-
C:\ProgramData\Microsoft\Windows\Volumeid64.exeFilesize
165KB
MD581a45f1a91448313b76d2e6d5308aa7a
SHA10d615343d5de03da03bce52e11b233093b404083
SHA256fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd
SHA512675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d
-
C:\ProgramData\Microsoft\Windows\amifldrv64.sysFilesize
18KB
MD5785045f8b25cd2e937ddc6b09debe01a
SHA1029c678674f482ababe8bbfdb93152392457109d
SHA25637073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba
SHA51240bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD58592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5e3ee4c7aaddca79dbf4f301e4869b273
SHA105721282a5a5f7ccce1ffd2854af0d4358d93239
SHA2565644a47ba60cad98277985d017391e6b98564f726d38cef7acda5657b6607733
SHA5129e2748bc36d91c2bb645f620f6657f4cacf0c7d31beacaa01a205af5bcaf5e3b58aa745d4c2cc5397138aa8e7049e99e8e30305425e55207f154e77711920129
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD595cd62d55c15f43e7a132b7f0fd87313
SHA184031c35808061cbf32b6ff83008b39e0cf36354
SHA256866e790eaec392c6faa1001f45f381ff18d7da85b5606114e02938ae9638591d
SHA51221c24b6650ab0c18bc26cc8140f903353c1341dfdea3addcfdea5955fab1cc32b7a61f95335e594586560b5d8e8dbabe09b0965586b7d2261a5317956f5bca8e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5bbb673277fae96ee4bc299672085e949
SHA1731ccb1581a06bff2ca36ca46b20c91c9adc468c
SHA25621a0a3c47eb15cec5d37688a67369836fda0164d0cd5afaa9a2aa52fb838685d
SHA512aa0efc1683991ed68027f0fbd1dfcf0616dd0c328bd015cb43987411e454e0583e8cc1a45bc9f689e873007071e0923d9be10a6db689ba268a167f856b6a8425
-
C:\Users\Admin\AppData\Local\Temp\6lE2IkKRbl.batFilesize
165B
MD5af1054756ba938a6ad2b78ebe3aae02b
SHA1dc58b7d57b693e01498c2957f24737ef39d690fb
SHA256a06036fdaa8607937c292d0952ee97277c5984d52954a2845d3a54e903083578
SHA512db22f8f090fa84578a086990c37f49ecfae4a571dee043d0110373e25fd601a48b39a276aef82def1a105d4cbfb7106836d1db44932096ed36c1d2d960a2d5d7
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wtzjrcwf.rfo.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Local\Temp\bozscvkmidso.xmlFilesize
1KB
MD511c4206f3a1782d15708f1197d3d5036
SHA1a9bd700df93ff11f876a15e4cedc2a8ab3bf5d08
SHA256cd4530040d181100ddb0ab7428e4c3e3a65e9b2cbb475706144666fd4db6ac55
SHA512ab33e882edf236262ee3723f8f3e3ce79939cb4d86e73a81f796639b57e549b5b71b8bff99959db00ace30ce22b1d676718d903b50976f351dcdcfd587252bff
-
C:\Users\Admin\AppData\Local\Temp\rAhl4fNEA5.batFilesize
165B
MD5aed2ed3cee46497be5a262abb6f44847
SHA13e9159ea3e123fb2b530d6df329b5d0143cd5e3e
SHA256d94654d7e9fc0256acfb0fc801248992e302413b2c7b15a2efe134802be8edd6
SHA512b411c76c3074dd3f73d032b397154b532905525e27023a00696bdeb39cb6a6f527835746746781c5d308070b1482106902ea1d42fa9437aa9a58c409d4f7d240
-
C:\Users\Admin\AppData\Roaming\HpsrSpoof.exeFilesize
905KB
MD5dd1313842898ffaf72d79df643637ded
SHA193a34cb05fdf76869769af09a22711deea44ed28
SHA25681b27a565d2eb4701c404e03398a4bca48480e592460121bf8ec62c5f4b061df
SHA512db8cdcbfca205e64f1838fc28ea98107c854a4f31f617914e45c25d37da731b876afc36f816a78839d7b48b3c2b90f81856c821818f27239a504ab4253fe28f9
-
C:\Users\Admin\AppData\Roaming\conhost_sft.exeFilesize
4.4MB
MD5673b523777d7f575004e47668bcedfd2
SHA153fd77b4189dd696f942d6092ce96f9966c67f21
SHA256b255fd532cb851be74f4d72ca572e34916d218138abdaf9cd5c41298f3aee903
SHA512164fedbefad95fd3d785ed302a5ce890e13d48138e273ae4d66b3c4bd5b46d0095217d77e9c41f275a7d3efb4a885866788e44cfbafaf1a16b2c0099418b25dc
-
C:\Users\Admin\AppData\Roaming\sp_componentbrowserFontDriverPerf.exeFilesize
859KB
MD5d18283d6cfe1d4fd930f8b80ef786e86
SHA1dfc7d3a930bbc69f3b0e54c9333ab991d79a85f6
SHA2566d3fb4f323e7a18336f671001a885433418658e9ac244c6e9d8fb961340836b3
SHA512c733e98328738a4664afdaf1dad6fa656064df68920c889b38c3d716b0d5d8f4d16a60b943e04f619a6445f0a66895caa3e0176465a531c738bc9995f0f1ae67
-
memory/200-816-0x00007FF6DEE80000-0x00007FF6DF2F8000-memory.dmpFilesize
4.5MB
-
memory/200-649-0x00007FF6DEE80000-0x00007FF6DF2F8000-memory.dmpFilesize
4.5MB
-
memory/920-68-0x0000000002490000-0x000000000249E000-memory.dmpFilesize
56KB
-
memory/920-13-0x00000000002A0000-0x0000000000378000-memory.dmpFilesize
864KB
-
memory/920-47-0x0000000002400000-0x000000000240E000-memory.dmpFilesize
56KB
-
memory/920-49-0x0000000002440000-0x000000000245C000-memory.dmpFilesize
112KB
-
memory/920-50-0x00000000024B0000-0x0000000002500000-memory.dmpFilesize
320KB
-
memory/920-52-0x0000000002460000-0x0000000002478000-memory.dmpFilesize
96KB
-
memory/920-54-0x0000000002410000-0x000000000241E000-memory.dmpFilesize
56KB
-
memory/920-195-0x00007FFF5DA70000-0x00007FFF5E45C000-memory.dmpFilesize
9.9MB
-
memory/920-64-0x0000000002420000-0x000000000242E000-memory.dmpFilesize
56KB
-
memory/920-66-0x0000000002480000-0x000000000248C000-memory.dmpFilesize
48KB
-
memory/920-70-0x00000000024A0000-0x00000000024AC000-memory.dmpFilesize
48KB
-
memory/920-14-0x00007FFF5DA73000-0x00007FFF5DA74000-memory.dmpFilesize
4KB
-
memory/920-21-0x00000000023B0000-0x00000000023F0000-memory.dmpFilesize
256KB
-
memory/920-22-0x00007FFF5DA70000-0x00007FFF5E45C000-memory.dmpFilesize
9.9MB
-
memory/976-561-0x00007FF7984F0000-0x00007FF798968000-memory.dmpFilesize
4.5MB
-
memory/976-627-0x00007FF7984F0000-0x00007FF798968000-memory.dmpFilesize
4.5MB
-
memory/1152-334-0x0000000009940000-0x000000000995A000-memory.dmpFilesize
104KB
-
memory/1152-34-0x0000000004AB0000-0x0000000004AE6000-memory.dmpFilesize
216KB
-
memory/1152-97-0x00000000099B0000-0x0000000009A44000-memory.dmpFilesize
592KB
-
memory/1152-44-0x00000000085B0000-0x00000000085FB000-memory.dmpFilesize
300KB
-
memory/1152-43-0x00000000082A0000-0x00000000082BC000-memory.dmpFilesize
112KB
-
memory/1152-45-0x0000000008520000-0x0000000008596000-memory.dmpFilesize
472KB
-
memory/1152-348-0x0000000009930000-0x0000000009938000-memory.dmpFilesize
32KB
-
memory/1152-42-0x0000000007E90000-0x00000000081E0000-memory.dmpFilesize
3.3MB
-
memory/1152-37-0x00000000075A0000-0x0000000007606000-memory.dmpFilesize
408KB
-
memory/1152-38-0x0000000007710000-0x0000000007776000-memory.dmpFilesize
408KB
-
memory/1152-36-0x0000000007500000-0x0000000007522000-memory.dmpFilesize
136KB
-
memory/1152-35-0x0000000007810000-0x0000000007E38000-memory.dmpFilesize
6.2MB
-
memory/1152-96-0x00000000095F0000-0x0000000009695000-memory.dmpFilesize
660KB
-
memory/1152-89-0x0000000009470000-0x00000000094A3000-memory.dmpFilesize
204KB
-
memory/1152-91-0x0000000009450000-0x000000000946E000-memory.dmpFilesize
120KB
-
memory/1152-90-0x0000000073960000-0x00000000739AB000-memory.dmpFilesize
300KB
-
memory/3372-253-0x00000242EBAE0000-0x00000242EBB56000-memory.dmpFilesize
472KB
-
memory/3876-192-0x00000202A4240000-0x00000202A4262000-memory.dmpFilesize
136KB
-
memory/4264-829-0x00007FF721C40000-0x00007FF721C53000-memory.dmpFilesize
76KB
-
memory/4300-18-0x0000000000400000-0x0000000001437000-memory.dmpFilesize
16.2MB
-
memory/4300-0-0x0000000000400000-0x0000000001437000-memory.dmpFilesize
16.2MB
-
memory/4300-23-0x000000007FAD0000-0x000000007FEA1000-memory.dmpFilesize
3.8MB
-
memory/4300-1-0x000000007FAD0000-0x000000007FEA1000-memory.dmpFilesize
3.8MB
-
memory/4628-680-0x00000281F7F00000-0x00000281F7F1C000-memory.dmpFilesize
112KB
-
memory/4628-686-0x00000281F81D0000-0x00000281F8289000-memory.dmpFilesize
740KB
-
memory/4628-719-0x00000281F7F20000-0x00000281F7F2A000-memory.dmpFilesize
40KB